Blueprint Checklists

Actionable checklists for every phase of health product development

Compliance Readiness Checklist

  • Determine regulatory classification (FDA, MDR, or exempt)
  • Identify applicable data privacy regulations (HIPAA, GDPR, CCPA)
  • Engage regulatory counsel
  • Begin technical documentation per applicable standards
  • Implement HIPAA-compliant infrastructure
  • Execute BAAs with all vendors handling PHI
  • Conduct Data Protection Impact Assessment (DPIA)
  • Establish Quality Management System (QMS)
  • Appoint Data Protection Officer (DPO) if required

Design Review Checklist

  • Patient safety review: Can any interaction lead to clinical harm?
  • Health literacy review: Can a user with low health literacy understand this?
  • Accessibility review: WCAG 2.2 AA compliance verified
  • Privacy review: Data minimization and consent flows validated
  • Error prevention review: Are critical errors prevented, not just recoverable?
  • Multi-stakeholder review: Tested with patients, clinicians, and administrators
  • Regulatory review: Design aligns with regulatory requirements

Pre-Launch Checklist

  • Clinical validation data collected and analyzed
  • Regulatory clearance/approval obtained
  • HIPAA compliance verified (audit logs, encryption, access controls)
  • Security penetration test completed
  • BAAs executed with all partners
  • Insurance coverage secured (cybersecurity, professional liability)
  • Pricing and reimbursement strategy defined
  • Customer support system operational
  • Monitoring and alerting configured
  • Incident response plan documented

Security Audit Checklist

  • All PHI encrypted at rest (AES-256) and in transit (TLS 1.3)
  • MFA enforced for all production access
  • Least-privilege access implemented for all roles
  • Audit logging enabled for all PHI access
  • Vulnerability scanning integrated into CI/CD
  • Dependency scanning active for third-party libraries
  • Incident response plan tested within last 6 months
  • Penetration test completed within last 12 months
  • Backup and disaster recovery procedures tested
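The Security Audit Checklist above is written as pass/fail statements, several of which carry a time window (6 months, 12 months) or apply per asset (every PHI store, every endpoint, every role). The following is an added example, not part of the original checklist page, showing how to turn those items into a repeatable evaluation over a structured evidence record. The evidence record layout (key names, the wildcard convention for role permissions, the sample values) is an assumption made for this example; in practice each value would be collected from the system it describes.

```python
"""Evaluate structured audit evidence against the Security Audit Checklist.

Added example; the evidence record shape is an assumption, not a format
used by the original page.
"""
from datetime import date, timedelta
from typing import Optional

# Controls that the evidence record satisfies with a simple boolean flag.
BOOLEAN_CONTROLS = {
    "mfa_production": "MFA enforced for all production access",
    "phi_audit_logging": "Audit logging enabled for all PHI access",
    "vuln_scan_in_ci": "Vulnerability scanning integrated into CI/CD",
    "dependency_scanning": "Dependency scanning active for third-party libraries",
    "dr_procedures_tested": "Backup and disaster recovery procedures tested",
}

# Recurring activities and the maximum age in days the checklist allows.
RECENCY_CONTROLS = {
    "ir_plan_last_tested": ("Incident response plan tested within last 6 months", 183),
    "last_pentest": ("Penetration test completed within last 12 months", 365),
}


def _within(last: Optional[date], today: date, max_days: int) -> bool:
    """True when `last` is a real date no more than `max_days` before `today`."""
    return last is not None and timedelta(0) <= today - last <= timedelta(days=max_days)


def evaluate_security_audit(evidence: dict, today: date) -> list:
    """Return the checklist items the evidence does NOT satisfy, in checklist order."""
    findings = []

    # Encryption: every PHI store at rest must use AES-256 and every
    # endpoint carrying PHI must negotiate TLS 1.3.
    for store, alg in evidence.get("phi_stores", {}).items():
        if alg != "AES-256":
            findings.append(f"PHI at rest not AES-256: {store} uses {alg}")
    for endpoint, tls in evidence.get("endpoints", {}).items():
        if tls != "TLS 1.3":
            findings.append(f"PHI in transit not TLS 1.3: {endpoint} uses {tls}")

    for key, label in BOOLEAN_CONTROLS.items():
        if not evidence.get(key, False):
            findings.append(label)

    # Least privilege: a role holding "*" or any "<service>:*" grant is a
    # finding regardless of who currently holds the role.
    for role, perms in evidence.get("roles", {}).items():
        if any(p == "*" or p.endswith(":*") for p in perms):
            findings.append(f"Least privilege not implemented: role {role} holds {perms}")

    for key, (label, max_days) in RECENCY_CONTROLS.items():
        if not _within(evidence.get(key), today, max_days):
            findings.append(label)

    return findings


# Constructed sample evidence for a fictional deployment (not real data).
SAMPLE_EVIDENCE = {
    "phi_stores": {"patients-db": "AES-256", "export-bucket": "AES-128"},
    "endpoints": {"api.example.invalid": "TLS 1.3", "legacy-sftp": "TLS 1.2"},
    "mfa_production": True,
    "phi_audit_logging": True,
    "vuln_scan_in_ci": True,
    "dependency_scanning": False,
    "dr_procedures_tested": True,
    "roles": {"clinician": ["phi:read", "phi:annotate"], "ops-admin": ["*"]},
    "ir_plan_last_tested": date(2024, 1, 15),
    "last_pentest": date(2023, 9, 1),
}
AUDIT_DATE = date(2024, 9, 30)

if __name__ == "__main__":
    for finding in evaluate_security_audit(SAMPLE_EVIDENCE, AUDIT_DATE):
        print("FAIL:", finding)
```

Running the module against the constructed sample reports six failures: one store without AES-256, one endpoint below TLS 1.3, dependency scanning off, a role with a wildcard grant, and both the incident-response exercise and the penetration test falling outside their windows. The date windows are computed from the audit date rather than hard-coded as "recent", so the same evaluation can be re-run at each audit cycle.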